
Over the last few days, my Symantec Endpoint Protection has found, quarantined, and then deleted various .exe files that it says are corrupted with a TrojanGen2 virus. I've turned my computer off (and on) a few times now, and each time I eventually get the same warning message. In other words, even though it seems the problem is effectively dealt with, it obviously is not.

An online search brought me to this forum, and I've attached the DDS log and attach files and also pasted the log file below. Any help is greatly appreciated!


Hi Scott! Welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.

Perform everything in the correct order. Sometimes one step requires the previous one.

If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.

Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.

Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.

If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.

If I don't reply within 24 hours please PM me!

Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

Start FRST with administrator privileges.

Make sure the option Addition.txt is checked and press the Scan button.

When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.

Nice to hear from you, and thank you for the reply. Below is what you requested from Step 1, the FRST and Addition logs. I will next do Step 2 and send you that in my next message. Thank you!!!

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

CodeIntegrity Errors:
===================================
Date: 2014-12-06 15:47:35.439
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-06 07:39:35.972
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-06 00:22:28.116
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 21:22:53.460
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 17:37:58.851
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 11:05:02.501
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 10:08:00.234
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 09:42:15.881
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 07:55:18.922
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-05 07:23:25.487
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.
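The FRST output above does two things a defender can reproduce on any Windows box: it checks the Authenticode signature of core system binaries and lists recent Code Integrity errors such as the repeated sysfer.dll entries. This is an added example written for this thread, not FRST's code or anything posted by the participants; the file list mirrors the log above, and the 7-day window and the regex used to pull the file path out of the event message are assumptions.

```powershell
# Added example (not FRST or BleepingComputer code): reproduce the two checks
# from the FRST log with built-in PowerShell cmdlets.

# Same core binaries FRST reports on (assumed list, taken from the log above).
$SystemFiles = @(
    "$env:SystemRoot\System32\winlogon.exe", "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",  "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe", "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",  "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",   "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe", "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

function Test-SystemFileSignatures {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { "$p => MISSING"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        # Status is Valid for an intact, trusted signature; anything else
        # (NotSigned, HashMismatch, ...) on these files deserves a closer look.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        "$p => $($sig.Status) ($signer)"
    }
}

function Get-CodeIntegrityErrors {
    param([int]$Days = 7)   # assumed window; FRST shows the most recent entries
    # Level 2 = Error. The "per-page image hashes could not be found" message
    # seen in the thread lives in this operational log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Level     = 2
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumed pattern: extract the \Device\HarddiskVolumeN\... path from the message.
        $file = if ($_.Message -match '(\\Device\\HarddiskVolume\d+\\[^ ]+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; File = $file }
    }
}

Test-SystemFileSignatures -Paths $SystemFiles
# Group by file so a single module failing repeatedly (like sysfer.dll above) stands out.
Get-CodeIntegrityErrors | Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; reading the CodeIntegrity operational log needs administrator rights on most systems.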

(Temporarily disable your AntiVirus and AntiSpyware protection - instructions here. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.)

Step 1

Please download the attached fixlist and save it in the same directory as FRST.

Start FRST with Administrator privileges.

Press the Fix button.

When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from. Please copy and paste its contents in your next reply.

I thought we had closed this case? The problem did seem to be with Symantec. My university (who provides this software) suggested that I uninstall Symantec and then reinstall a newer version (mine was 3 years old). I did that, and things seem to be working fine - no infected files are being detected!

That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.

My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation:
Thank you!

Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.

DelFix should remove all our tools and delete itself afterwards. I don't need the log file.

If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this malware exploits security holes in installed software (e.g. browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

Adobe Reader X
Java 7 Update 71
Java™ 6 Update 27 (64-bit)

Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.